Information Security:

IRS Needs to Continue to Address Significant Weaknesses

GAO-10-355: Published: Mar 19, 2010. Publicly Released: Mar 19, 2010.

Contact:

Gregory C. Wilshusen
(202) 512-6244
contact@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

The Internal Revenue Service (IRS) relies extensively on computerized systems to carry out its demanding responsibilities to collect taxes, process tax returns, and enforce the nation's tax laws. Effective information security controls are essential to protect financial and taxpayer information from inadvertent or deliberate misuse, improper disclosure, or destruction. As part of its audit of IRS's fiscal years 2009 and 2008 financial statements, GAO assessed (1) the status of IRS's actions to correct or mitigate previously reported information security weaknesses and (2) whether controls over key financial and tax processing systems are effective in ensuring the confidentiality, integrity, and availability of financial and sensitive taxpayer information. To do this, GAO examined IRS information security policies, plans, and procedures; tested controls over key financial applications; and interviewed key agency officials at six sites.

IRS has continued to make progress during fiscal year 2009 in correcting previously reported information security weaknesses that GAO reported as unresolved at the conclusion of its fiscal year 2008 audit. Specifically, IRS has corrected or mitigated 28 of the 89 weaknesses and deficiencies--21 of 74 previously identified information security control weaknesses and 7 of 15 previously identified program deficiencies. For example, it has (1) changed vendor-supplied user accounts and passwords; (2) avoided storing clear-text passwords in scripts; (3) enhanced its policies and procedures for configuring mainframe operations; and (4) established an alternate processing site for its procurement system.

While IRS has corrected 28 control weaknesses and program deficiencies, 61 of them--or about 69 percent--remain unresolved or unmitigated. For example, IRS continued to install patches late and used passwords that were not complex. In addition, IRS did not always verify that remedial actions had been implemented or had effectively mitigated the security weaknesses. According to IRS officials, they continued to address uncorrected weaknesses and, subsequent to GAO's site visits, had completed additional corrective actions on some of them.

Despite these actions, newly identified and unresolved information security control weaknesses in key financial and tax processing systems continue to jeopardize the confidentiality, integrity, and availability of financial and sensitive taxpayer information. IRS did not consistently implement controls intended to prevent, limit, and detect unauthorized access to its systems and information. For example, IRS did not always (1) enforce strong password management for properly identifying and authenticating users; (2) authorize user access so as to permit only the access needed to perform job functions; (3) log and monitor security events on a key system; and (4) physically protect its computer resources.

A key reason for these weaknesses is that IRS has not yet fully implemented its agencywide information security program to ensure that controls are appropriately designed and operating effectively. Although IRS has made important progress in developing and documenting its information security program, it did not, among other things, review risk assessments at least annually for certain systems or ensure that contractors receive awareness training. Until these control weaknesses and program deficiencies are corrected, the agency remains unnecessarily vulnerable to insider threats involving unauthorized access to, and disclosure, modification, or destruction of, financial and taxpayer information, as well as the disruption of system operations and services. The new and unresolved weaknesses and deficiencies are the basis for GAO's determination that IRS had a material weakness in internal controls over financial reporting related to information security in fiscal year 2009.
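As an added illustration, not part of the GAO report, of two of the control weaknesses the summary names (clear-text passwords stored in scripts, and passwords that are not complex), the following Python audit helper flags literal credentials in a shell script and grades each one against a password complexity policy. The sample script, the regular expressions, and the policy thresholds are constructed assumptions for this example; they are not IRS or GAO configuration.

```python
import re
from dataclasses import dataclass

# Constructed sample operations script (not an IRS artifact). Lines 3 and 5
# embed a credential in clear text; line 7 reads a secret from the
# environment, which the scanner should not flag.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly batch job (constructed sample)
DB_PASSWORD="Summer2009"
export DB_PASSWORD
mysql -u batch -pSummer2009 -h db01 reports < nightly.sql
# token comes from the environment instead of being hard-coded
API_TOKEN="$BATCH_API_TOKEN"
"""

# Heuristic patterns (assumptions for this example): a literal assigned to a
# password-like variable, or a literal attached to a -p / --password= flag.
# Values beginning with '$' are variable references, not literals, and are
# deliberately excluded. Expect some false positives (e.g. "-port 80").
_ASSIGN = re.compile(
    r'(?i)(?:pass(?:word|wd)?|pwd|secret)\w*\s*=\s*["\']?(?P<value>[^"\'\s$]+)'
)
_FLAG = re.compile(r'(?:^|\s)(?:-p|--password=?)(?P<value>[^\s$]\S*)')


def find_cleartext_passwords(script):
    """Return a list of (line_number, literal) for lines that appear to embed a
    credential in clear text. Comment lines are skipped."""
    hits = []
    for n, line in enumerate(script.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = _ASSIGN.search(line) or _FLAG.search(line)
        if m:
            hits.append((n, m.group("value")))
    return hits


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed policy thresholds; real values come from the agency's own
    standards, not from this example."""
    min_length: int = 12
    min_classes: int = 3          # of lowercase, uppercase, digit, symbol
    forbidden_substrings: tuple = ("password", "irs")


def password_findings(password, policy=PasswordPolicy()):
    """Return the list of policy rules the password fails; empty means compliant."""
    findings = []
    if len(password) < policy.min_length:
        findings.append(f"shorter than {policy.min_length} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if classes < policy.min_classes:
        findings.append(
            f"uses {classes} character classes, policy requires {policy.min_classes}"
        )
    lowered = password.lower()
    for word in policy.forbidden_substrings:
        if word in lowered:
            findings.append(f"contains forbidden substring {word!r}")
    return findings


def audit_script(script, policy=PasswordPolicy()):
    """Combine both checks: every embedded literal is a finding on its own, and
    is also graded against the policy so the report shows how weak it is."""
    return [
        {"line": n, "value": value, "policy_findings": password_findings(value, policy)}
        for n, value in find_cleartext_passwords(script)
    ]


if __name__ == "__main__":
    for f in audit_script(SAMPLE_SCRIPT):
        print(f"line {f['line']}: clear-text credential {f['value']!r}; "
              f"policy failures: {f['policy_findings'] or 'none'}")
```

Run against the constructed script, the scanner reports lines 3 and 5 and notes that the embedded password also falls short of the policy's minimum length; the environment-backed token on line 7 is left alone. The patterns are intentionally coarse, so a real review would tune them to the scripting conventions in use and treat each hit as a lead to verify rather than a conclusion.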

Status Legend:

  • Review Pending: GAO has not yet assessed implementation status.
  • Open: Actions to satisfy the intent of the recommendation have not been taken or are being planned, or actions that partially satisfy the intent of the recommendation have been taken.
  • Closed - implemented: Actions that satisfy the intent of the recommendation have been taken.
  • Closed - not implemented: While the intent of the recommendation has not been satisfied, time or circumstances have rendered the recommendation invalid.

    Recommendations for Executive Action

    Recommendation: In addition to implementing our previous recommendations, and to fully implement an agencywide information security program, the IRS should develop and implement policies and procedures for more securely configuring routers to encrypt network traffic, configuring switches to defend against attacks that could crash the network, and for notifying CSIRC of network changes that could affect its ability to detect unauthorized access.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: In 2013, we verified that IRS had updated policies and procedures to more securely configure routers and switches.

    Recommendation: In addition to implementing our previous recommendations, and to fully implement an agencywide information security program, the IRS should ensure contractors receive security awareness training within the first 10 working days.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Open

    Comments: We confirmed in 2014 that IRS still faces issues with ensuring that contractors receive security awareness training in a timely manner.

    Recommendation: In addition to implementing our previous recommendations, and to fully implement an agencywide information security program, the IRS should ensure the results of testing and evaluating controls are effectively documented and reviewed.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: In 2013, we verified that IRS ensured the results of testing and evaluating controls were effectively documented and reviewed.

    Recommendation: In addition to implementing our previous recommendations, and to fully implement an agencywide information security program, the IRS should ensure that key disaster recovery documentation, such as keystroke manuals, is available in a timely manner, and that appropriate contacts are readily identified.

    Agency Affected: Department of the Treasury: Internal Revenue Service

    Status: Closed - Implemented

    Comments: We reported in 2010 that IRS had ensured that key disaster recovery documentation was readily available.
